WO2008094725A1 - Method for generating digital fingerprint using pseudo random number code - Google Patents

Method for generating digital fingerprint using pseudo random number code

Info

Publication number
WO2008094725A1
Authority
WO
WIPO (PCT)
Prior art keywords
client device
code
prn
registration
information
Prior art date
Application number
PCT/US2008/050475
Other languages
English (en)
Inventor
John B Sims
Mykola P Samoylov
Original Assignee
The Boeing Company
Priority date
Filing date
Publication date
Application filed by The Boeing Company
Priority to DE112008000298.3T
Publication of WO2008094725A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs

Definitions

  • the present disclosure relates to methods for authorizing and verifying the identity of a first device that is attempting to access, over a network, a second device, and more particularly to a method for generating a digital fingerprint for a client device using a pseudo random number.
  • the distribution of information from a system, for example a system server, to a client device that is in communication with the system server via a network, requires an assurance that the client device is authorized to receive the content that it is requesting from the system server. This is especially so with automated or "hands-free" distribution of information from a system to a client device.
  • the client device must be uniquely identified and known to the system before the system transmits information to the client device. Put differently, the identity of the client device must be verified by the system server before the system server begins releasing information to the client device.
  • the present disclosure is directed to a method for assuring the identity of a first device that is attempting to access and obtain information from a second device on a network.
  • the first device comprises a client device and the second device comprises a system or server having information that the client device is attempting to obtain.
  • the method involves performing an initial registration process for the client device.
  • the registration process involves reading a network address of a component of the client device, in addition to reading a predetermined piece of information from the client device that pertains to a hardware component incorporated in the client device.
  • a cryptographic program is used to receive the network address and the predetermined piece of information as inputs and to generate therefrom a registration Identification (ID) code for the client device.
  • the client device supplies the registration ID code, and at least one additional piece of user identifying information, to the system when making a call to the system over the network.
  • the identifying information will be known to the system in advance.
  • the system uses the piece of user identifying information as an initial verification of the authenticity of the identity of the client device.
  • the system then generates a pseudo random number (PRN) code.
  • the PRN code is transmitted from the system to the client device where it may be used by the client device with each subsequent communication that it transmits to the system.
  • the PRN code is stored by the client device preferably only right before the present call with the system is terminated. Similarly, the system preferably does not store the PRN code on a mass storage device of its own until just before the call is terminated.
  • the client device uses its stored PRN code to help generate a new, unique, one time only ID code that can be used to authenticate its identity to the system.
  • the client device does this by using the stored PRN code as an input for its PRN generator, which results in a new PRN code being generated.
  • the new PRN code will be the next number in a PRN sequence.
  • the registration ID code is also regenerated by using the hardware and network address inputs as described above for the initial registration process.
  • the registration ID code may then be input to the cryptographic program associated with the client device to generate a unique, one time only, client-side hash code.
  • This one time only, client-side hash code essentially represents a new, one time only digital fingerprint for the client device.
  • the system performs a similar operation at its side.
  • the system uses the previously stored PRN code generated during the initial registration process as an input to its PRN generator to generate a new PRN code.
  • the new PRN code is used with the stored registration ID code for the particular client device now making the new call to the system, as an input to its associated PRN generator to generate a new PRN code, which represents the next PRN code in a PRN sequence.
  • the PRN generators used by the client device and the system are the same, and will thus always produce the exact same output given the exact same input.
  • the system then uses the new PRN code it has just generated as an input, together with the previously stored registration ID code, to its associated cryptographic hash program.
  • the cryptographic hash program generates a one time only, system-side, unique hash code.
  • the cryptographic hash program is identical to the hash program being used by the client device.
  • the system compares the client-side hash code that it has just received, with the system-side hash code that it has just generated, to see if they match. If they do, then the identity of the client device making the new call to the system is authenticated. The system then allows further communication between it and the client device to proceed. If a match does not exist, then the system terminates the call.
  • the new PRN code is stored by both the client device and the system, but preferably not until just before concluding communication.
  • the above-described registration program operating on the control device reads a network address of a network card of the client device and a volume serial ID number of a mass storage device on the client device.
  • the user identifying information supplied by the user with the registration ID code when making a call to the system may comprise one or more of a user name, user password and user selected device name for the client device.
  • Figure 1 is an environmental block view diagram illustrating a typical environment in which the method of the present disclosure may be employed, in which a client device is in communication over a wide area network with a remotely located system server;
  • Figure 2 is a flowchart of an exemplary method for generating a registration ID code for the client device shown in Figure 1;
  • Figure 3 is a flowchart of an exemplary procedure for initially registering the client device for use with the system server.
  • Figure 4 is a flowchart of an exemplary future call sequence, by which the client device regenerates its ID hash code and by which the system server uses the regenerated ID hash code to authenticate the identity of the client device.
  • the system 10 includes a system server 12 that is remotely coupled via a wide area network 14, for example the Internet, with at least one client device 16a-16f.
  • the illustration of a plurality of client devices 16a-16f is merely meant to illustrate that in a typical scenario more than one client device 16 will often be operating on the network and capable of bi-directional communication with the system server 12.
  • the system server 12 includes a pseudo random number (PRN) generator 12a.
  • the client devices 16a-16f typically each comprise computer terminals that each include a display terminal 18, a keyboard 20 for data entry, and a computing module 22.
  • the computing module 22 typically includes a networking card 24 and a mass storage device, for example a hard disc drive 26.
  • Each client device 16 includes a pseudo random number (PRN) generator 27 that may be stored on the hard disc drive 26.
  • the PRN generator 27 is preferably a robust PRN generator known to have a high periodicity.
  • the client devices 16a-16f may each be identical or they may be of slightly different configurations, but in any event each represents a computing device that is able to make a call to the system server 12 and bi-directionally communicate over the wide area network 14 with the system server 12.
  • a flowchart 32 illustrates an exemplary process for generating a registration Identification (ID) code in accordance with one implementation of the method of the present disclosure.
  • the generation of a registration ID code enables a unique code to be created that takes into account specific hardware features of the particular client device 16 that will be making contact with the system server 12 in an attempt to obtain information from the system server 12.
  • a particular advantage is that the registration ID code created from the operations of flowchart 32 is uniquely tied to the particular client device 16 making the call to the system server 12.
  • the primary MAC address of the network interface 24 in the computing module 22 of the client device 16 is read.
  • the volume serial ID number of the primary partition of the hard drive 26 of the computing module 22 is read.
  • a cryptographic hash function is executed by the client device 16 using the primary MAC address and the volume serial ID number of the client device 16, to thus generate a registration ID code for the client device 16. It will be appreciated that the operation set forth in Figure 2 is performed each time a new call is made by the client device 16 to establish a new information exchange session with the system server 12, and is required to be performed before information from the system server 12 will be transmitted to the client device 16.
  • the cryptographic hash function performed in operation 38 is preferably a one-way cryptographic function that generates a unique sequence of bits or "hash code".
  • One specific type of cryptographic hash function that is suitable for use is known as the "Whirlpool" cryptographic hash function developed by V. Rijmen and P. Barreto.
  • the Whirlpool cryptographic hash function operates on messages less than 2^256 bits in length, and produces a message digest of 512 bits.
  • the cryptographic hash function can be mathematically proven to generate a given hash code, given the same inputs, each time it is executed. Furthermore, given the hash code alone, the inputs to the hash function are virtually impossible to deduce.
  • the hash function is further highly resistant to attempts to guess the inputs by repeated, minor modifications to the inputs and then repeatedly examining the resulting hash code.
  • Another significant benefit is that the registration ID code is automatically computed from the underlying hardware environment of each client device 16 each time the client device 16 is used. Thus, the registration ID code is never stored on the hard drive 26 of the client device 16, and is therefore not susceptible to hacking or other form of loss from other devices that may gain unauthorized access to the network.
  • an initial registration process 40 is presented that enables a given client device 16 to be registered for use with the system server 12.
  • the client device 16 is used to call the system server 12.
  • the user operating the client device 16 preferably provides a pre-selected "User Name", a pre-selected "Password" and a pre-selected "Registration Name", as inputs to the specific client device 16 that is being used to make the call to the system server 12. It is preferred that all three such inputs are provided, although it will be appreciated that a high level of security would still be obtained even if only one or two of the above-mentioned user selected identifying items were supplied.
  • the client device 16 automatically supplies the Registration ID code that has been immediately, previously generated by the registration software program, to the system server 12.
  • the system server 12 checks to see if a different client device with the same "Registration Name" as that input by the user is already in use. If the answer to this inquiry is "YES", then access to the system server 12 is denied and the process of registering the client device 16 with the system server 12 is terminated. If the answer to the inquiry in operation 48 is "NO", then the "Registration Name" and the "Registration ID" provided by the client device 16 are stored in the system server 12 (i.e., on a suitable mass storage device associated with the system server 12).
  • the system server 12 uses its PRN generator 12a to generate a PRN code and transmits this PRN code to the client device 16 that is making the call.
  • both the system server 12 and the client device 16 store the PRN code.
  • the PRN code may be stored on the hard disc drive 26 of client device 16.
  • the system server 12 may store the PRN code on any form of suitable mass storage device (hard disc drive, magnetic tape storage device, etc.) that it is operably associated with.
  • the client device 16 uses the stored PRN code when making a future call to the system server 12.
  • the PRN code is used to help generate a new, unique, one time only ID hash code that effectively acts as a digital fingerprint for the client device 16 when the client device 16 makes a future call to the system server 12. This will be explained further in the following paragraphs.
  • a plurality of exemplary operations for making a new, subsequent call from the client device 16 to the system 12 are set forth. It will be understood that the previous information exchange session between the client device 16 and the system server 12 has been terminated, and that the client device 16 is now calling the system server 12 and attempting to begin a new information exchange session.
  • the client device 16 uses the stored PRN code generated from the previous information exchange session as an input to its PRN generator 27 to generate a new PRN that represents the next PRN in the PRN sequence.
  • the client device 16 uses the new PRN and the newly generated registration ID code as inputs to a cryptographic hash program operating in connection with the client device 16.
  • the cryptographic hash program may be stored on the hard disc drive 26 of the client device 16 or stored on another non-volatile storage medium that is in communication with the computing module 22 of the client device 16.
  • the cryptographic hash program generates a one time only "client-side" hash code that uniquely identifies the particular client device 16 that is about to make a new call to the system server 12.
  • the client device 16 then initiates a new call to the system server 12 and supplies the new client-side hash code to the system server 12.
  • the system server 12 uses the previously stored PRN for the client device 16 that is now making a new call to it, as an input to its own PRN generator 12a. From this operation, the system server 12 generates a new "system-side" PRN code that is the next PRN code in the PRN sequence.
  • the new system-side PRN code and the registration ID code presented by the client device 16 are then used as inputs to a cryptographic hash program that is stored on a memory medium (e.g., hard disc drive or other non-volatile memory) associated with the system server 12.
  • This operation generates a unique, one time only, "system-side" hash code.
  • the cryptographic hash program used by the client device 16 and the cryptographic hash program used by the system server 12 are identical programs that will generate the same output hash code, given the exact same inputs.
  • the PRN generator 27 of the client device 16 and the PRN generator of the system server 12 are identical, and therefore will generate identical PRN codes given the exact same input.
  • the system server 12 compares the system-side hash code to the client-side hash code to see if they match. If they do not, the system server 12 terminates the call that the client device 16 is making, as indicated at operation 70. If they do match, then this authenticates the identity of the client device 16 to the system server 12, as indicated at operation 72.
  • the system server 12 then allows an information exchange session to be conducted between it and the client device 16.
  • the system server 12 and the client device 16 both store their new (i.e., identical) PRN codes in their respective memories. Waiting until the end of a call to store the newly generated PRN codes in memory adds an additional degree of security for both the client device 16 and the system server 12, as this code will not be available to any unauthorized device that may gain unauthorized access to the client device 16 or the system server 12 on the network 14.
  • the method of the present disclosure provides a significant benefit in that cumbersome and/or costly procedures are not required by users of the client device 16. Since the registration ID code is obtained from a combination of factors derived from the hardware characteristics of the particular client device 16 and the network address of the client device 16, this makes it virtually or entirely impossible for an unauthorized device to generate a registration ID code that fraudulently identifies itself as an authorized client device. Furthermore, an additional layer of security is provided because credential information supplied by the user cannot be obtained or derived by reading any files from the client device 16. Also, since a new pseudo random number code is a "one-time-only" code that is generated each time the client device 16 calls the system server 12, there is virtually no risk that an unauthorized device can obtain and/or use this code.
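
The registration and future-call exchange described above, as an added Python sketch that is not code from the patent or from its authors. Assumptions: SHA-512 stands in for Whirlpool, Python's `random.Random` is a placeholder for the unspecified PRN generators 12a and 27, the "Registration Name" is used as the server's lookup key, all class and function names are hypothetical, and the MAC address and volume serial are constructed sample values.

```python
import hashlib
import hmac
import random
import secrets
from typing import Dict, Optional, Tuple


def registration_id(mac: str, volume_serial: str) -> bytes:
    """Hash the MAC address and volume serial into a registration ID code."""
    # SHA-512 stand-in for Whirlpool (both produce 512-bit digests). Fields are
    # length-prefixed so two different input pairs cannot concatenate equal.
    h = hashlib.sha512()
    for field in (mac.lower().encode(), volume_serial.upper().encode()):
        h.update(len(field).to_bytes(2, "big") + field)
    return h.digest()


def next_prn(stored_prn: int) -> int:
    """Identical generator on both sides: stored PRN in, next PRN out."""
    # Assumption: Mersenne Twister is only a placeholder for the real generator.
    return random.Random(stored_prn).getrandbits(64)


def one_time_hash(prn: int, reg_id: bytes) -> bytes:
    """One-time-only hash code from the new PRN and the registration ID code."""
    return hashlib.sha512(prn.to_bytes(8, "big") + reg_id).digest()


class SystemServer:
    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}  # Registration Name -> reg_id, prn

    def register(self, name: str, reg_id: bytes) -> Optional[int]:
        if name in self.records:        # Registration Name already in use: deny
            return None
        prn = secrets.randbits(64)      # assumption: first PRN from the OS CSPRNG
        self.records[name] = {"reg_id": reg_id, "prn": prn}
        return prn                      # transmitted to the client device

    def authenticate(self, name: str, client_hash: bytes) -> bool:
        rec = self.records.get(name)
        if rec is None:
            return False
        candidate = next_prn(rec["prn"])
        expected = one_time_hash(candidate, rec["reg_id"])
        if not hmac.compare_digest(expected, client_hash):
            return False                # no match: the call is terminated
        rec["prn"] = candidate          # stored only once the call is accepted
        return True


class ClientDevice:
    def __init__(self, name: str, mac: str, volume_serial: str) -> None:
        self.name, self.mac, self.volume_serial = name, mac, volume_serial
        self.prn: Optional[int] = None  # the only value the client persists

    def register(self, server: SystemServer) -> bool:
        reg_id = registration_id(self.mac, self.volume_serial)
        self.prn = server.register(self.name, reg_id)
        return self.prn is not None

    def call(self, server: SystemServer) -> Tuple[bytes, bool]:
        candidate = next_prn(self.prn)
        # The registration ID is recomputed from hardware on every call.
        reg_id = registration_id(self.mac, self.volume_serial)
        code = one_time_hash(candidate, reg_id)
        accepted = server.authenticate(self.name, code)
        if accepted:
            self.prn = candidate        # keep in step with the server
        return code, accepted


if __name__ == "__main__":
    server = SystemServer()
    client = ClientDevice("laptop-1", "00:1A:2B:3C:4D:5E", "A1B2-C3D4")  # constructed
    print("registered:", client.register(server))
    code, ok = client.call(server)
    print("first call accepted:", ok)
    print("same hash code presented again:", server.authenticate("laptop-1", code))
    print("second call accepted:", client.call(server)[1])
```

In this sketch a client that fails to persist the new PRN after an accepted call falls out of step with the server and is rejected on its next call; the page does not describe a resynchronisation step.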

Abstract

The invention relates to a method for authenticating the identity of a client device that is attempting to establish a communication link with a remotely located system server over a network. The method involves initially generating a unique registration identification code by inputting information pertaining to hardware characteristics of the client device itself, and a network address of the client device, into a cryptographic hash function. The hash function generates the unique registration identification hash code and presents it to the system server. The system server uses this registration identification hash code to authenticate the identity of the client device making the call. The system server then generates a pseudo random number (PRN) and transmits it to the client device. The PRN is used the next time the client device makes a call to the system server to generate a unique client-side hash code, which is used by the system server to authenticate the identity of the client device.
PCT/US2008/050475 2007-02-01 2008-01-08 Method for generating digital fingerprint using pseudo random number code WO2008094725A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
DE112008000298.3T DE112008000298B4 (de) 2007-02-01 2008-01-08 Method for generating a digital fingerprint by means of a pseudo random number code

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US11/670,007 2007-02-01
US11/670,007 US8590024B2 (en) 2007-02-01 2007-02-01 Method for generating digital fingerprint using pseudo random number code

Publications (1)

Publication Number Publication Date
WO2008094725A1 true WO2008094725A1 (fr) 2008-08-07

Family

ID=39523574

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2008/050475 WO2008094725A1 (fr) 2007-02-01 2008-01-08 Method for generating digital fingerprint using pseudo random number code

Country Status (3)

Country Link
US (1) US8590024B2 (fr)
DE (1) DE112008000298B4 (fr)
WO (1) WO2008094725A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012031756A1 (fr) * 2010-09-09 2012-03-15 Loginpeople Sa Method for generating personalized web pages
US9424012B1 (en) 2016-01-04 2016-08-23 International Business Machines Corporation Programmable code fingerprint

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
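JP4219965B2 (ja) * 2006-09-20 2009-02-04 株式会社Psd Authentication using a one-time ID
JP5527216B2 (ja) * 2008-12-03 2014-06-18 日本電気株式会社 Identification information management system, identification information generation method and management method, terminal, and generation and management program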
US8069155B2 (en) * 2009-01-07 2011-11-29 Oracle International Corporation Securing DBMS event notifications
EP2619680A1 (fr) * 2010-09-23 2013-07-31 Hewlett-Packard Development Company, L.P. Methods, apparatus and systems for monitoring data locations in a network service
JP5624510B2 (ja) * 2011-04-08 2014-11-12 株式会社東芝 Storage device, storage system, and authentication method
US8789154B2 (en) * 2011-06-30 2014-07-22 Qualcomm Incorporated Anti-shoulder surfing authentication method
US8763101B2 (en) * 2012-05-22 2014-06-24 Verizon Patent And Licensing Inc. Multi-factor authentication using a unique identification header (UIDH)
CN103780578A (zh) * 2012-10-22 2014-05-07 腾讯科技(深圳)有限公司 Account generation method, system and device
US9237021B2 (en) * 2013-03-15 2016-01-12 Hewlett Packard Enterprise Development Lp Certificate grant list at network device
US9219722B2 (en) * 2013-12-11 2015-12-22 Globalfoundries Inc. Unclonable ID based chip-to-chip communication
US11538005B2 (en) * 2013-12-16 2022-12-27 Mx Technologies, Inc. Long string pattern matching of aggregated account data
US10341342B2 (en) 2015-02-05 2019-07-02 Carrier Corporation Configuration data based fingerprinting for access to a resource
US10541996B1 (en) 2015-06-15 2020-01-21 National Technology & Engineering Solutions Of Sandia, Llc Methods and systems for authenticating identity
CN107483534B (zh) * 2017-06-28 2020-07-28 阿里巴巴集团控股有限公司 Service processing method and device
US10706135B2 (en) * 2018-02-27 2020-07-07 Ricoh Company, Ltd. Fingerprint authentication mechanism
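CN110489351B (zh) * 2018-05-14 2021-03-09 英韧科技(上海)有限公司 Chip fingerprint management device and security chip
CN113449274B (zh) * 2020-03-24 2022-10-25 浪潮卓数大数据产业发展有限公司 Method, device and medium for generating random numbers based on biometric features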

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040010685A1 (en) * 2002-02-25 2004-01-15 Sony Corporation Service providing apparatus and server providing method
WO2005107137A2 (fr) * 2004-04-23 2005-11-10 Passmark Security, Inc. Method and apparatus for authenticating users using two or more factors

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5604803A (en) * 1994-06-03 1997-02-18 Sun Microsystems, Inc. Method and apparatus for secure remote authentication in a public network
KR100213188B1 (ko) * 1996-10-05 1999-08-02 윤종용 User authentication apparatus and method
US6128661A (en) * 1997-10-24 2000-10-03 Microsoft Corporation Integrated communications architecture on a mobile device
US6754820B1 (en) * 2001-01-30 2004-06-22 Tecsec, Inc. Multiple level access system
US20020078352A1 (en) * 2000-12-15 2002-06-20 International Business Machines Corporation Secure communication by modification of security codes
US20070113090A1 (en) * 2004-03-10 2007-05-17 Villela Agostinho De Arruda Access control system based on a hardware and software signature of a requesting device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
OORSCHOT VAN ET AL: "HANDBOOK OF APPLIED CRYPTOGRAPHY", HANDBOOK OF APPLIED CRYPTOGRAPHY, BOCA RATON, FL, CRC PRESS.; US, US, 1 January 1997 (1997-01-01), pages 395 - 397, XP002134672, ISBN: 978-0-8493-8523-0 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012031756A1 (fr) * 2010-09-09 2012-03-15 Loginpeople Sa Method for generating personalized web pages
FR2964766A1 (fr) * 2010-09-09 2012-03-16 Mobilegov France Method for generating personalized web pages
US9424012B1 (en) 2016-01-04 2016-08-23 International Business Machines Corporation Programmable code fingerprint
US9946521B2 (en) 2016-01-04 2018-04-17 International Business Machines Corporation Programmable code fingerprint

Also Published As

Publication number Publication date
DE112008000298B4 (de) 2016-12-15
US20080189772A1 (en) 2008-08-07
US8590024B2 (en) 2013-11-19
DE112008000298T5 (de) 2009-11-26

Similar Documents

Publication Publication Date Title
US8590024B2 (en) Method for generating digital fingerprint using pseudo random number code
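EP2115993B1 (fr) Method for generating a digital fingerprint
CA2241052C (fr) Application-level security system and associated method
CA2578186C (fr) System and method for access control
CN102217277B (zh) Method and system for token-based authentication
CN105516195B (zh) Security authentication system based on application platform login and authentication method thereof
CN111275419B (zh) Blockchain wallet signature right-confirmation method, device and system
CN109981562B (zh) Software development kit authorization method and device
CN110990827A (zh) Identity information verification method, server and storage medium
EP1886204B1 (fr) Transaction method and verification method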
JP2010525448A5 (fr)
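CN103853950A (zh) Mobile-terminal-based authentication method and mobile terminal
CN112396735B (zh) Connected-vehicle digital key security authentication method and device
CN111800378A (zh) Login authentication method, device, system and storage medium
JP2007280393A (ja) Device and method for controlling computer login
CN112437068B (zh) Authentication and key agreement method, device and system
JP2004206258A (ja) Multiple authentication system, computer program, and multiple authentication method
CN116866093B (zh) Identity authentication method, identity authentication device, and readable storage medium
JP4578352B2 (ja) Communication mediating device, data providing device, and data providing system
CN113554783B (zh) Authentication data storage method, device, and computer-readable storage medium
CN117424709B (zh) Login method for a terminal device, device, and readable storage medium
CN112395574B (zh) Secure login management method
CN116248280B (zh) Anti-theft method for a security module with key-free issuance, security module, and device
CN113672898B (zh) Service authorization method, authorization device, system, electronic device, and storage medium
CN116155554A (zh) Login verification method, device, and system for a power generation dispatching system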

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08727410

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 1120080002983

Country of ref document: DE

RET De translation (de og part 6b)

Ref document number: 112008000298

Country of ref document: DE

Date of ref document: 20091126

Kind code of ref document: P

122 Ep: pct application non-entry in european phase

Ref document number: 08727410

Country of ref document: EP

Kind code of ref document: A1

REG Reference to national code

Ref country code: DE

Ref legal event code: 8607